In this second in our series, we look at the long awaited update to NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” which is expected to be released in late spring 2023. NIST SP 800-171 forms the backbone for contractor security requirements in Department of Defense regulations and the CMMC program. It remains unclear if this update will impact the rollout of the CMMC program.
As we start down the path of 2023, with the pandemic not quite behind us and economic uncertainty looming, the world can seem unsettled. Some things do appear to be a constant. Included in those are regulatory and court scrutiny on privacy and cybersecurity. As companies’ privacy and security teams make plans for their 2023 compliance efforts, it can be helpful to look back at last year’s developments.
As we get settled into the New Year it is a good time to reflect on your company’s current data security and plans for 2023. In this five-part series, we reflect on the top important cybersecurity developments for companies that do business with the federal government (whether directly or as a supplier or reseller) and what we anticipate in the new year.
New York’s Attorney General Letitia James recently secured a $1.9 million settlement from online retailer Zoetop Business Company, Ltd. to settle allegations that Zoetop had improperly handled a 2018 data breach and subsequent consumer notification. The scrutiny given to Zoetop provides insights into the NYAG’s expectations around breach investigations and response.
Continue Reading Lessons From New York AG Scrutiny of Breach Investigation and Response
The FTC recently took action against the online alcohol marketplace company Drizly and its CEO for alleged security failures. The case arose from a 2018 data breach which was caused – according to the FTC – by poor security measures stemming from the company’s alleged failure to devote sufficient resources or attention to data security.
Continue Reading FTC Action Against Drizly and CEO Provides Insight Into Its Security Expectations
In a recent settlement with the New York Department of Financial Services, EyeMed Vision Care LLC agreed to pay a $4.5 million penalty and undertake remedial measures to increase its cybersecurity. This includes undertaking an action plan based on a comprehensive risk assessment, subject to the review and approval of NYFSD.
Continue Reading NYDFS’s $4.5 Million EyeMed Cyber Settlement Reminder To Industry
The White House recently hosted a group of industry and government partners to discuss the development and implementation of an Internet of Things (IoT) labeling program. This program would develop a common label to help consumers easily recognize which devices meet the highest cybersecurity standards to protect against vulnerabilities.
Continue Reading White House Aims for Spring 2023 Rollout of Internet of Things Labeling Program
The Cybersecurity and Infrastructure Security Agency (CISA) is seeking input on various aspects of proposed incident reporting regulations under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (discussed here). CISA issued a Request for Information (RFI) and has scheduled a number of listening sessions across the country. Written comments may be submitted until November 14, 2022.
Continue Reading CISA Seeking Input on Cyber Incident Reporting for Critical Infrastructure
The CFPB recently published a circular clarifying liability under consumer financial protection law for financial companies that fail to safeguard consumer data. The circular describes how firms may be violating the CFPA’s prohibition on unfair acts or practices with respect to the handling of consumer data by not implementing adequate measures to protect against data security incidents. According to the CFPB. in the event of large scale, customer-base-wide breaches, consumers may become victims of targeted identify theft.
Continue Reading CFPB: Safeguard Consumer Data or Face Liability
The New York Attorney General recently announced a data security-related settlement with Wegmans Food Markets. The issue arose in April 2021 regarding a cloud-based incident. At that time a security researcher notified Wegmans that the company had an Azure cloud storage container that was unsecured. Upon investigation, the company determined that the container had been misconfigured and that three million customer records had been publicly accessible since 2018. The records included email addresses and account passwords.
Continue Reading Wegmans Settles With NYAG for $400,000 Over Data Incident